GKE Ingress SSL with Google Managed Certificates

Abhi
3 min readFeb 3, 2022

--

GCP has a managed service“Google-managed certificates”. Google-managed SSL certificates are Domain Validation (DV) certificates that Google Cloud obtains and manages for your domains. which can be attached to our GKE ingree for free! They support multiple hostnames in each certificate, and Google renews the certificates automatically. It is a convenient feature wherein the SSL certificates are provisioned and managed for your domain names using GKE ingress.

Prerequisites

  • You must have an FQDN in Google Domains or another registrar ( Godaddy.com, Cloudflare.com, etc)
  • Enable HttpLoadBalancing add-on in GKE cluster
  • Have to keep Ingress and ManagedCertificate in the same namespace
  1. Create a global reserved external IP address.

after setting up gcloud in your console, run the commands to attach an IP to your GCP account. also, a name has to be passed to annotate the IP.

gcloud compute addresses create <IP_NAME> --globalgcloud compute addresses describe <IP_NAME> --global#output will be sililar to,
#address: 214.5.73.12

You need to configure this IP address in your domain’s DNS records.

2. Setting up a Google-managed certificate & ingress

Now, let's create a ManagedCertificate object in cluster. This resource specifies the domains for the SSL certificate. Wildcard domains are not supported.

kubectl create -f ingress.yaml

You can check certificate resource status using the below command

kubectl get managedcertificate -n project-dev
kubectl get ingress -n project-dev 

Ingress and certificate will take time to get provisioned. to finish setting up.

Note: The certificate would take some 45–60 minutes to get activated

I used a script to check the status of certificate, as it took random duration to get provisioned.

while sleep 1; do k -n project-dev describe  managedcertificate.networking.gke.io/ingress-dev | grep Provisioning; date ; done

Finally, the ‘Certificate’ resource will be updated, Domain Status changes to Status: Active. Now, we can verify that SSL/TLS is working by visiting our domain.

https://a.domain.com

--

--

Abhi

Hello world, Basically a Linux evangelist, Working as a DevOps engineer — ♥ www.abhinand.in/